On Iau, 2003-04-17 at 14:55, Richard B. Johnson wrote:
> (2) Boot with init=/bin/bash
Doesnt help you
> (5) Examine /etc/inetd.conf (if one exists). If you see an
> unusual entry near the end, you have been 'rooted'. Newer
> systems use xinetd and won't get invaded this way.
Wrong. Old xinetd < 2.3.10 has remote root exploits and real
> (6) Check /etc/passwd for a strange account.
Rootkits patch other stuff
> (7) Check /bin/login for a new file-date.
> (8) Check /usr/sbin/sendmail for a new file-date.
> Check /usr/sbin/inetd ""
> Check /usr/sbin/xinetd ""
> Check /usr/sbin/syslogd ""
> Check /usr/sbin/klogd ""
> Check /usr/sbin/in.* ""
Rootkits know about avoiding this
> If none of these have recent writes, just change the password on
> the root account and be happy. You just has some file-system
> corruption and you can fix up /etc/DIR_COLORS (for your color-ls
> problem) and fix /etc/profile or /root/.bashrc, /root/.profile
> to fix the bad environment variables created by these scripts.
Never do this. You don't know what else has changed on the system. You
should always (barring odd exceptions) do a full reinstall. Also clean
user executable files if neccessary (roots .login is often archived and
people rerun exploits from it...)
See the cert documents on recovering from an attack
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to email@example.com
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Apr 23 2003 - 22:00:21 EST